Bug 192404 - Selinux prevents mysql from reading SSL certificates
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-05-19 09:49 EDT by Sergio Pascual
Modified: 2007-11-30 17:11 EST

Fixed In Version: 2.2.42-2
Doc Type: Bug Fix
Last Closed: 2006-06-21 05:43:22 EDT
Description Sergio Pascual 2006-05-19 09:49:34 EDT
Description of problem:
mysql cannot read SSL certificates unless they are in the /var/lib/mysql dir. (I
suppose that the correct place for certificates is /etc/pki/tls.)

Version-Release number of selected component (if applicable):
selinux-policy-2.2.38-1.fc5
mysql-server-5.0.21-2.FC5.1
How reproducible:
Always

Steps to Reproduce:
1. Enable SSL in mysql
2. Start the daemon
Actual results:
The certificate and private key are not read.

Expected results:
mysql can read the files

Additional info:

# ls -Z /etc/pki/tls/certs/mysql.crt
-rw-r--r--  root     mysql    user_u:object_r:cert_t           /etc/pki/tls/certs/mysql.crt

# mysql.log

60519 15:34:11  mysqld started
Error when connection to server using SSL:3086448336:error:0200100D:system library:fopen:Permission denied:bss_file.c:349:fopen('/etc/pki/tls/certs/mysql.crt','r')
3086448336:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:351:
3086448336:error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib:ssl_rsa.c:470:
Unable to get certificate from '/etc/pki/tls/certs/mysql.crt'

# audit.log

type=AVC msg=audit(1148045501.180:1638): avc:  denied  { search } for  pid=8252 comm="mysqld" name="pki" dev=dm-2 ino=1198246 scontext=user_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1148045501.180:1638): arch=40000003 syscall=5 success=no exit=-13 a0=9776e83 a1=8000 a2=1b6 a3=9799af8 items=1 pid=8252 auid=603 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="mysqld" exe="/usr/libexec/mysqld"
type=CWD msg=audit(1148045501.180:1638):  cwd="/"
type=PATH msg=audit(1148045501.180:1638): item=0 name="/etc/pki/tls/certs/mysql.crt" flags=10
Comment 1 Daniel Walsh 2006-05-23 16:19:49 EDT
Fixed in selinux-policy-2.2.42-2.fc5

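The denial in the report is the usual SELinux diagnostic loop: read the AVC record, map scontext, tcontext, tclass and the braced permission onto the Type Enforcement rule that would permit it, and expect the next denial once the first is cleared (here mysqld is refused `search` on the /etc/pki directory before it ever reaches the file, so a `read` denial on the .crt would follow). The script below is an added example, not code from the bug report or from the selinux-policy package; it parses audit records and renders the allow rules and a .te module source in the form audit2allow produces. The first AVC line in its sample input is the report's own record rejoined onto one line; the second AVC record (`{ read }` on `mysql.crt`, `tclass=file`) is constructed to stand in for that follow-on denial. Function names and the module name `mysqlcert` are this example's own.

```python
"""Turn SELinux AVC denials into Type Enforcement allow rules (audit2allow style)."""
import re
from collections import defaultdict

# Constructed sample log. The first AVC record is the one quoted in the bug
# report, rejoined onto a single line as it sits in /var/log/audit/audit.log;
# the SYSCALL record is kept to show that non-AVC records are ignored. The
# second AVC record is constructed: the read denial on the certificate file
# that would surface once directory search on /etc/pki is permitted.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1148045501.180:1638): avc:  denied  { search } for  pid=8252 comm="mysqld" name="pki" dev=dm-2 ino=1198246 scontext=user_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1148045501.180:1638): arch=40000003 syscall=5 success=no exit=-13 a0=9776e83 a1=8000 a2=1b6 a3=9799af8 items=1 pid=8252 auid=603 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="mysqld" exe="/usr/libexec/mysqld"
type=AVC msg=audit(1148045600.000:1700): avc:  denied  { read } for  pid=8252 comm="mysqld" name="mysql.crt" dev=dm-2 ino=1198300 scontext=user_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial record; return None for any other audit record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    # A security context is user:role:type[:range]; TE rules are about the type.
    return {
        "perms": set(m.group("perms").split()),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "name": fields.get("name"),
    }


def collect_denials(log_text):
    """Merge denied permissions per (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is not None:
            rules[(d["source_type"], d["target_type"], d["tclass"])] |= d["perms"]
    return dict(rules)


def perm_list(perms):
    """Format a permission set the way policy sources write it."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rules(rules):
    """Render the grouped denials as allow statements."""
    return [f"allow {src} {tgt}:{cls} {perm_list(perms)};"
            for (src, tgt, cls), perms in sorted(rules.items())]


def policy_module(name, rules):
    """Render a complete .te source: module header, require block, allow rules."""
    types = sorted({t for (src, tgt, _cls) in rules for t in (src, tgt)})
    classes = defaultdict(set)
    for (_src, _tgt, cls), perms in rules.items():
        classes[cls] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {cls} {perm_list(perms)};" for cls, perms in sorted(classes.items())]
    lines += ["}", ""]
    lines += allow_rules(rules)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Written to mysqlcert.te, the output is built and loaded with
    # checkmodule -M -m -o mysqlcert.mod mysqlcert.te,
    # semodule_package -o mysqlcert.pp -m mysqlcert.mod, and semodule -i mysqlcert.pp.
    print(policy_module("mysqlcert", collect_denials(SAMPLE_AUDIT_LOG)), end="")
```

Loading a module like this is the local workaround for a policy gap of this kind; the packaged fix in selinux-policy-2.2.42-2 makes it unnecessary. Be clear about what the rule grants: cert_t is the label for all of /etc/pki, the private key directory included, so `allow mysqld_t cert_t:file read` reaches far more than the one certificate, and only the DAC mode on each file (root:mysql 0644 for the certificate in the report) narrows it further. Relabeling the certificate with chcon instead avoids widening policy but is undone by the next restorecon.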